
THEGENTLEMEN Ransomware: Healthcare & Logistics Surge — ScreenConnect Exploitation & Detection

Security Arsenal Team
June 4, 2026
6 min read

Aliases & Affiliation: THEGENTLEMEN is a relatively new but aggressive player in the ransomware-as-a-service (RaaS) ecosystem. While currently operating independently, their sophisticated leak site design and professional victim communications suggest a lineage involving former affiliates from established gangs like LockBit or BlackCat.

Operational Model:

  • RaaS Structure: They operate on a standard affiliate model, focusing on high-volume encryptors and automated data exfiltration tools.
  • Ransom Demands: Demands range from $500k to $5M USD, heavily weighted based on the victim's revenue and the sensitivity of exfiltrated PHI (Protected Health Information).
  • Dwell Time: Average dwell time is short, typically 3–5 days from initial access to encryption, indicating a high degree of automation in their post-exploitation toolkit.

TTPs & Extortion: THEGENTLEMEN relies heavily on "double extortion." They aggressively exfiltrate data before detonating the payload. Their leak site features a countdown timer and public pressure tactics. Initial access vectors predominantly focus on exposed remote management interfaces and unpatched edge services.


Current Campaign Analysis

Campaign Overview (2026-06-01 to 2026-06-03): In the last 72 hours, THEGENTLEMEN has posted 15 new victims, signaling a significant acceleration in operations (Victim count: 21 in last 100 postings).

Sector Targeting:

  • Healthcare (33% of recent victims): Distinct focus on Surgical Centers and Medical Associates (Michigan Surgical, Edgewood Surgical, Downriver Medical). This suggests affiliates are specifically hunting for organizations rich in PHI to maximize extortion leverage.
  • Logistics & Manufacturing: Targeting of Thoresen Thai Agencies (TH) and Liztex Guatemala (GT) indicates a secondary focus on supply chain disruption.

Geographic Concentration: While the campaign is global, there is a heavy concentration in the United States (5 victims), followed by India (3) and Southeast Asia (Thailand, Singapore).

Initial Access Vector Correlation: The victimology correlates strongly with the exploitation of remote management software:

  • CVE-2024-1708 (ConnectWise ScreenConnect): High probability of use. The targeting of Business Services (3E Accounting) and Healthcare entities (which rely heavily on remote support tools) aligns with this CVE.
  • CVE-2026-48027 (Nx Console): Recently added to CISA KEV (May 27), its inclusion suggests affiliates are rapidly weaponizing new vulnerabilities in DevOps/console environments.
  • CVE-2025-52691 (SmarterMail): Likely used for initial access in the Technology sector (Computime Group).

Detection Engineering

Sigma Rules

```yaml
---
title: Potential ScreenConnect Path Traversal Exploit
description: Detects potential exploitation of CVE-2024-1708 in ConnectWise ScreenConnect via suspicious URI patterns
id: 91e28122-1234-5678-9abc-def012345678
status: experimental
date: 2026-06-04
author: Security Arsenal
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
    definition: 'Requirements: Logs must include the full URI query string'
detection:
    selection:
        # "contains" already matches anywhere in the field; no wildcard is needed
        cs-uri-query|contains:
            - '/Bin/'
            - 'Authorization='
    condition: selection
falsepositives:
    - Legitimate administrative access (rare for these patterns)
level: high
tags:
    - attack.initial-access
    - cve.2024-1708
    - ransomware.the-gentlemen
---
title: Mass Data Staging via Archiving Tools
description: Detects mass data staging commonly seen before exfiltration by THEGENTLEMEN affiliates
id: 00000000-0000-0000-0000-000000000002   # placeholder, assign a real UUID before deployment
status: experimental
date: 2026-06-04
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
    definition: 'Requirements: Sysmon or Security logging with command line details'
detection:
    selection_img:
        Image|endswith:
            - '\winrar.exe'
            - '\7z.exe'
            - '\powershell.exe'
    selection_cli:
        CommandLine|contains:
            - '-m0'
            - '-mx9'
            - 'Compress-Archive'
    # suppresses archivers launched by installed (Program Files) software such as backup agents
    filter_legit:
        ParentImage|contains:
            - '\Program Files\'
    condition: selection_img and selection_cli and not filter_legit
falsepositives:
    - Administrator backups
level: high
tags:
    - attack.exfiltration
    - attack.collection
    - ransomware.the-gentlemen
---
title: Lateral Movement via PsExec
description: Detects the use of PsExec for lateral movement, a favorite of THEGENTLEMEN for spreading ransomware
id: a3b2c1d0-0000-0000-0000-000000000000   # placeholder, assign a real UUID before deployment
status: experimental
date: 2026-06-04
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
    definition: 'Requirements: Command line logging enabled'
detection:
    selection:
        Image|endswith: '\psexec.exe'
        CommandLine|contains:
            - '-accepteula'
            - '\\'
    condition: selection
falsepositives:
    - IT Administration
level: medium
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1021.002
    - ransomware.the-gentlemen
```
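The following Python is an added example, not code from the original post or from Security Arsenal: a minimal Sigma-style matcher that applies the selection and condition logic of the three rules above to constructed sample data. The web sample is an IIS W3C log (the `cs-uri-query` field name used by the first rule is the IIS one), and the process samples are Sysmon-style records with `Image`, `CommandLine` and `ParentImage`; all hosts, paths and requests in it are invented.

```python
"""Sigma-style evaluation of the three rules above over constructed sample events."""


def value_matches(modifier, actual, expected):
    """Apply a Sigma string modifier; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    actual, expected = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    raise ValueError(f"unsupported modifier: {modifier!r}")


def selection_matches(event, selection):
    """Sigma semantics: every key of a selection map must match (AND);
    a list of values under one key matches if any value matches (OR)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(value_matches(modifier, event.get(field), v) for v in values):
            return False
    return True


# Selections transcribed from the three rules above.
SCREENCONNECT_SEL = {"cs-uri-query|contains": ["/Bin/", "Authorization="]}
STAGING_IMG = {"Image|endswith": ["\\winrar.exe", "\\7z.exe", "\\powershell.exe"]}
STAGING_CLI = {"CommandLine|contains": ["-m0", "-mx9", "Compress-Archive"]}
STAGING_FILTER = {"ParentImage|contains": ["\\Program Files\\"]}
PSEXEC_SEL = {"Image|endswith": "\\psexec.exe",
              "CommandLine|contains": ["-accepteula", "\\\\"]}

RULES = {
    "Potential ScreenConnect Path Traversal Exploit":
        lambda ev: selection_matches(ev, SCREENCONNECT_SEL),
    # condition: selection_img and selection_cli and not filter_legit
    "Mass Data Staging via Archiving Tools":
        lambda ev: (selection_matches(ev, STAGING_IMG)
                    and selection_matches(ev, STAGING_CLI)
                    and not selection_matches(ev, STAGING_FILTER)),
    "Lateral Movement via PsExec":
        lambda ev: selection_matches(ev, PSEXEC_SEL),
}


def evaluate(events):
    """Return (rule title, event index) for every rule that fires on an event."""
    return [(title, i) for i, ev in enumerate(events)
            for title, rule in RULES.items() if rule(ev)]


def parse_w3c(lines):
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields header.
    IIS writes '+' for spaces inside a field, so splitting on whitespace is safe."""
    fields, events = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            events.append(dict(zip(fields, line.split())))
    return events


# Constructed sample data (invented hosts, addresses and requests).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-06-02 03:14:07 10.0.0.5 GET /Login - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2026-06-02 03:14:09 10.0.0.5 GET /Page.aspx path=/Bin/ 443 - 203.0.113.10 curl/8.0 200
2026-06-02 03:15:21 10.0.0.5 GET /Page.aspx Authorization=Basic+QUJD 443 - 203.0.113.10 curl/8.0 401
"""

PROCESS_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\7z.exe",
     "CommandLine": r"7z.exe a -mx9 staging.7z C:\Shares\Finance",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",   # vendor backup job: suppressed by filter_legit
     "CommandLine": r"7z.exe a -mx9 nightly.7z D:\Backups",
     "ParentImage": r"C:\Program Files\BackupVendor\agent.exe"},
    {"Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe \\FILESRV01 -accepteula cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for title, i in evaluate(parse_w3c(SAMPLE_IIS_LOG.splitlines())):
        print(f"[web]  {title}: log line {i}")
    for title, i in evaluate(PROCESS_EVENTS):
        print(f"[proc] {title}: event {i}")
```

Running it fires the ScreenConnect rule on the two query strings containing `/Bin/` and `Authorization=`, the staging rule on the 7-Zip run from a user's Temp directory, and the PsExec rule on the UNC-path invocation. The second 7-Zip event is silenced by `filter_legit`, which shows what that filter buys (fewer backup-agent alerts) and what it costs: anything whose parent happens to live under `\Program Files\` is exempt, so tune the filter to the specific backup products in your estate rather than the whole directory.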

KQL (Microsoft Sentinel)

```kql
// Hunt for rapid file modification and encryption indicators
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe")
| where ProcessCommandLine has_any ("-enc", "vssadmin", "wbadmin", "bcdedit")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| summarize count() by DeviceName, ProcessCommandLine
| where count_ > 5
| order by count_ desc
```

PowerShell Response Script

```powershell
# Hardening & Audit: Check for Scheduled Tasks registered in last 24 hours
# THEGENTLEMEN often uses scheduled tasks for persistence.

$DateThreshold = (Get-Date).AddDays(-1)
# The Date property of a scheduled task is a string and is often empty,
# so skip empty values and cast before comparing against a [datetime].
$SuspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.Date -and ([datetime]$_.Date) -gt $DateThreshold
}

if ($SuspiciousTasks) {
    Write-Host "[ALERT] Suspicious Scheduled Tasks found created/modified in last 24h:" -ForegroundColor Red
    $SuspiciousTasks | Format-List TaskName, TaskPath, Date, Author
} else {
    Write-Host "[INFO] No suspicious recent scheduled tasks detected." -ForegroundColor Green
}

# Audit: Check for Shadow Copy Deletion Attempts
# Event ID 4688 (process creation) carries the command line only when
# "Include command line in process creation events" is enabled by policy.
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=$DateThreshold} -ErrorAction SilentlyContinue
if ($Events) {
    $VssEvents = $Events | Where-Object { $_.Message -like '*vssadmin*' -or $_.Message -like '*Shadow Copy*' }
    if ($VssEvents) {
        Write-Host "[ALERT] Shadow Copy manipulation events detected!" -ForegroundColor Red
        $VssEvents | Select-Object TimeCreated, Id, Message | Format-List
    }
}
```


---

# Incident Response Priorities

1.  **T-Minus Detection Checklist:**
    *   **Validate ScreenConnect Integrity:** Audit ConnectWise ScreenConnect logs immediately for CVE-2024-1708 indicators (unusual authentication paths).
    *   **Check for SMB Enumeration:** Look for internal network scanning via `smbclient` or PowerShell `Get-SmbShare`.
    *   **Scheduled Task Audit:** Run the provided PowerShell script; THEGENTLEMEN uses Task Scheduler for detonation.

2.  **Critical Assets at Risk:**
    *   **EMR/EHR Databases:** High-value targets for exfiltration.
    *   **File Servers:** Central repositories for encryption.
    *   **Backup Appliances:** Attackers specifically target Veeam/BackupExec repositories to prevent recovery.

3.  **Containment Actions:**
    *   **Isolate:** Immediately disconnect internet-facing RDP and VPN gateways.
    *   **Disable:** Temporarily disable ScreenConnect and similar remote IT tools (AnyDesk, TeamViewer) until patched.
    *   **Credential Reset:** Force reset for all local admin and service accounts, especially those with access to backup systems.

---

# Hardening Recommendations

**Immediate (24 Hours):**
*   **Patch Edge:** Apply patches for CVE-2024-1708 (ScreenConnect) and CVE-2026-48027 (Nx Console) immediately.
*   **MFA Enforcement:** Enforce strict MFA on all VPN and remote access portals; hardware tokens preferred over SMS.
*   **Block Macros:** Disable macro execution in Office documents from the internet via Group Policy.

**Short-term (2 Weeks):**
*   **Network Segmentation:** Isolate critical medical/operational systems from the general corporate network to prevent lateral movement.
*   **EDR Deployment:** Ensure EDR coverage on 100% of endpoints and servers, specifically tuning for "PsExec" and "PowerShell EncodedCommand" alerts.
*   **Offline Backups:** Validate that a recent, immutable backup exists and is stored offline or in a WORM (Write Once Read Many) storage tier.
